Jump to content

I believe I've been targeted by an AI assisted hack infecting my UEFI bios


Recommended Posts

I'm almost certain this is the case, and I believe they were using mostly legitimate LotL attack vectors, but the result is the same, my system has been completely compromised. I thought clearing cmos, removing all my existing hard drives and using a brand new one, with a brand new USB win 11 boot drive would fix this, but upon inserting a new harddrive with a fresh install of windows with a fresh microsoft email account I soon began to notice the same tell tale signs. Here are my logs, tell me if you need anything else. Your assistance is greatly appreciated. 

Addition.txt AdwCleaner[C01].txt FRST.txt Malwarebytes Scan Report 2024-10-14 211143.txt Shortcut.txt

Link to post
Share on other sites

Further information; I believe that a virtual environment is being created that it is forcing me into, I'm familiar with virtual environments and the various quirks, and it feels awfully familiar. In addition upon first setup there were several audit logs and the computer name was changed, several user adds. Just overall extremely sus behavior.

Link to post
Share on other sites

  • Root Admin

Good day @Igotpwnedhard

Please follow the steps below

[ 1 ]

Please enable System Protection and create a NEW System Restore Point

Turn On or Off System Protection for Drives in Windows 11
https://www.elevenforum.com/t/turn-on-or-off-system-protection-for-drives-in-windows-11.3598/

Create System Restore Point in Windows 11
https://www.elevenforum.com/t/create-system-restore-point-in-windows-11.3602/

 

[ 2 ]

Please run the following AV scans and post back their logs

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

[ 3 ]

Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

Microsoft Safety Scanner

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours to complete.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run and saved in the log.
  • The scan may take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware. )

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found and did.

 

Thank you

 

Link to post
Share on other sites

Ok I'm running the final scan now, I had already ran it with my internet off before which prevented  it from cross referencing with AI. It said no infection detected however. This checks out because I believe this to be incredibly stealthy, and to be using LotL style attacks, using privilege escalation, creating new users, using group policy, running my os through seperate shell or vm, while the hacker maintains control of the actual machine and giving me the illusion of admin for my little vm environment. I've included a couple images that show odd behavior. IMG_20241016_103336_134.thumb.jpg.236fa3e0ad39a0a824d963a0e4124786.jpgIMG_20241016_103144_113.thumb.jpg.f3e69d95e267dea13eb785172c1091e9.jpg

IMG_20241016_100839_793.jpg

Link to post
Share on other sites

  • Root Admin

Both scanners found no issues.

Pleases run the following

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • NOTE: You must allow AutoRuns to run for at least 20 minutes to complete the VirusTotal scan. If you attempt to save the file sooner it will not be complete
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

 

 

image.png

 

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Please download HWiNFO the Professional System Information and Diagnostics program.
HWiNFO Portable for Windows

Unzip the program to its own folder such as: C:\HWiNFO
Go to the new folder and locate the file C:\HWiNFO\HWiNFO64.exe and double-click to run it.
Click the RUN button.
Ignore the update, click close.
Click on Save Report and choose HTML and click Next, then Finish
By default, it will create a new report named COMPUTER.HTM in the same folder as the program. C:\HWiNFO
Please zip that file and attach it to your next reply

Thank you

Link to post
Share on other sites

I'm getting the items you requested after this post, but I was spooked when getting on my machine, definitely feels like someone has remote access in some way. Also, when I booted my machine up malwarebytes is no longer working, and refuses to startup. and I found this strange process that I couldn't control at all and I tried to take a screenshot of it, but the file seems to have been corrupted. And I can't upload it on here, even though it's a png. 

Link to post
Share on other sites

  • Root Admin

Okay, let's do a CLEAN install of Windows

I'll assist you.

Do  you have the following?

 

1. Another computer in the home?
2. An external USB drive to store or save your personal data?
3. A NEW USB thumb drive or one that you can format and use that is at least 8GB or 16GB in size?

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.